
SBOMs: Building customer trust through software transparency

Lots of great advice from Schneider Electric regarding SBOM implementation and use. Schneider Electric has emerged as a leader in software transparency and supply chain risk management (SCRM) practices, separating itself from other vendors providing OT products to the electric and gas industries that lag behind in implementing SCRM best practices. It appears that Rockwell Automation is moving to support NIST guidelines as well. How long will it be before the other vendors listed in Jake Sullivan's memo, linked above, see the benefits of following NIST guidance, now mandated for US Government agencies under OMB M-22-18? SBOMs, as recommended by NIST guidance, are a key part of the Secure by Design implementation best practices described in CISA's Software Acquisition Guide, together with industry support for making common vulnerability disclosure reporting standards law in the US.

A single, strategically executed cyberattack could disrupt everyday life and result in billions of dollars in lost revenue and business recovery costs. Recent events such as the SolarWinds compromise and the Apache Log4j software library and OpenSSL vulnerabilities have proven that such an attack is a real possibility.

SBOMs provide comprehensive information, such as data on proprietary, third-party, and open-source components and libraries, as well as code dependencies, licensing, and provenance.

Procurement requirement: It is becoming more common for companies to require SBOMs in contracts as a basic requirement. They can also help validate a vendor's maturity, transparency, and cybersecurity responsibility in a competitive procurement process.

Accelerated vulnerability management: Risk remediation can be accelerated when companies leverage the information in their SBOM inventory. For instance, Schneider Electric's SBOMs were helpful during the Log4j and OpenSSL vulnerability events and helped us quickly identify potential risks so we could release customer security advisories in a timely manner.
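The lookup described above, as an added example that is not Schneider Electric's or the author's code: it walks a small inventory of CycloneDX-style SBOMs and reports every component whose version falls inside an advisory's affected range. The product names, SBOM contents and advisory ranges are constructed for the example; real ranges must come from the vendor advisory.

```python
import json

# Constructed sample inventory: two minimal CycloneDX-style SBOMs keyed by product.
# Only the fields the lookup needs are present; products and versions are made up.
INVENTORY = {
    "controller-fw-1.4": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "name": "openssl", "version": "3.0.6"}]}),
    "gateway-app-2.1": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4"}]}),
}

# Constructed advisories: component name plus a half-open affected range
# [introduced, fixed). The ids are placeholders, not real advisory numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-2", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.7"},
]


def parse_version(text):
    """Turn '3.0.6' into (3, 0, 6), padded to three fields so '2.15' == '2.15.0'.
    Non-numeric fields such as '0-beta9' sort as 0; good enough for this lookup."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_exposures(inventory, advisories):
    """Return (product, advisory id, component, version) for every component in any
    SBOM whose name matches an advisory and whose version is in its affected range."""
    hits = []
    for product, raw in inventory.items():
        for comp in json.loads(raw).get("components", []):
            for adv in advisories:
                if comp.get("name") == adv["name"] and in_range(
                        comp.get("version", "0"), adv["introduced"], adv["fixed"]):
                    hits.append((product, adv["id"], comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for product, adv_id, name, version in find_exposures(INVENTORY, ADVISORIES):
        print(f"{product}: {name} {version} is affected by {adv_id}")
```

With the sample data only the older controller firmware is flagged (for both advisories); the gateway ships a fixed log4j-core and is reported clean.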

The time is now for enhancing customer trust with SBOMs 

Make SBOMs a policy requirement: Building a repository of SBOMs for a company's past and present product offerings will take time, but with a policy in place, it won't be long before a robust inventory of them is built.

Take an important step towards a safer and more secure world

Schneider Electric believes that SBOMs can play a significant role in protecting the products and services that are vital to everyday life. And, for our company, SBOMs are another way of helping us enhance the trust in our solutions that we continually strive to achieve with our customers.

Remember: risk always exists; trust does not. Always ask for the product "trust score" before buying!

Looking forward to seeing friends and colleagues at the March 20 FERC SCRM meeting where lots of interesting SCRM topics will be discussed, including SBOM's role in software risk management and other SCRM best practices. I've reached out to FERC requesting that a "SCRM implementers panel" be permitted to participate in the March 20 meeting; waiting on word from FERC on this proposal.